MosaicRegressor / LoJax (APT28)
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
5 syscalls cited
- NtAddBootEntry
Registers a new BOOT_ENTRY in the Boot Configuration Database (BCD) and returns its assigned ID.
- NtAddDriverEntry
Registers a new EFI_DRIVER_ENTRY in the firmware so the UEFI environment loads a driver before the OS.
- NtModifyDriverEntry
Overwrites an existing EFI_DRIVER_ENTRY identified by its ID, rewriting the UEFI Driver#### NVRAM variable in place.
- NtDeleteDriverEntry
Removes a registered EFI_DRIVER_ENTRY by ID, deleting the corresponding UEFI Driver#### NVRAM variable.
- NtEnumerateDriverEntries
Returns a packed list of every registered EFI_DRIVER_ENTRY — the UEFI Driver#### variables dispatched before the boot manager.